June 2026 Patch Tuesday: Microsoft Patches 206 Vulnerabilities Including Three Publicly Disclosed Zero-Days

Microsoft has addressed 206 vulnerabilities in its June 2026 security update release. This month's patches include fixes for three publicly disclosed zero-day vulnerabilities and 37 Critical vulnerabilities, along with 166 additional vulnerabilities of varying severity levels.

June 2026 Risk Analysis

This month's leading risk types by exploitation technique are elevation of privilege with 65 patches (32%), remote code execution (RCE) with 55 patches (27%), and information disclosure with 29 (13%).

Publicly Disclosed Elevation of Privilege Vulnerability in Windows Collaborative Translation Framework

CVE-2026-45586 is an Important elevation of privilege vulnerability affecting Windows Collaborative Translation Framework (CTFMON) and has a CVSS score of 7.8. CTFMON is a core Windows component that manages text input, handwriting recognition, and language services. A link following flaw (CWE-59) allows a low-privileged local attacker to elevate privileges with no user interaction and low attack complexity. Successful exploitation could grant an attacker SYSTEM privileges.

This vulnerability was publicly disclosed, though there is no evidence of exploitation in the wild. Microsoft assesses exploitation as more likely.

Publicly Disclosed Security Feature Bypass Vulnerability in Windows BitLocker

CVE-2026-50507 is an Important security feature bypass vulnerability affecting Windows BitLocker and has a CVSS score of 6.8. A missing authentication for a critical function flaw (CWE-306) allows an unauthenticated attacker with physical access to bypass BitLocker Device Encryption and gain access to encrypted data on the system storage device. While physical access is required, the attack requires no privileges or user interaction and has low attack complexity.

This vulnerability was publicly disclosed and proof-of-concept exploit code exists, though there is no evidence of exploitation in the wild. Microsoft assesses exploitation as more likely.

Publicly Disclosed and Critical Vulnerabilities in HTTP.sys

HTTP.sys is the kernel-mode HTTP server driver in Windows that handles HTTP and HTTPS requests directly at the OS level, used by IIS and other Windows web services; vulnerabilities here can be exploited remotely against any Windows server exposing web services without requiring authentication.

CVE-2026-49160 is a publicly disclosed Important denial of service vulnerability affecting HTTP.sys and has a CVSS score of 7.5. An uncontrolled resource consumption flaw (CWE-400) in HTTP/2 allows unauthenticated remote attackers to deny service with no user interaction and low attack complexity. As part of the available fix, Microsoft has introduced a new MaxHeadersCount registry setting that allows administrators to limit the number of headers accepted in HTTP/2 and HTTP/3 requests. There is no evidence of exploitation in the wild, though Microsoft assesses exploitation as more likely.

CVE-2026-47291 is a Critical RCE vulnerability affecting HTTP.sys with a CVSS score of 9.8. Integer overflow and heap-based buffer overflow flaws (CWE-190, CWE-122) allow unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack to trigger the vulnerability. Systems using the default MaxRequestBytes registry value of 16,384 bytes (16 KB) are not impacted. As a pre-patch mitigation, administrators can ensure this value is set to no higher than 65,534 bytes to avoid exposure.

Critical Vulnerability in Windows Kernel

CVE-2026-45657 is a Critical RCE vulnerability affecting the Windows kernel and has a CVSS score of 9.8. Use-after-free and heap-based buffer overflow flaws (CWE-416, CWE-122) allow unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send specially crafted network traffic to trigger a flaw in how the Windows kernel processes TCP/IP data, potentially enabling code execution with SYSTEM-level privileges without requiring authentication or user interaction.

Critical Vulnerability in Nuance PowerScribe

CVE-2026-26142 is a Critical RCE vulnerability affecting Nuance PowerScribe and has a CVSS score of 9.8. Nuance PowerScribe is a radiology reporting and workflow platform widely used in healthcare environments. This deserialization of untrusted data flaw (CWE-502) allows unauthenticated remote attackers to execute code and compromise sensitive medical data and clinical infrastructure with no user interaction and low attack complexity.

Critical Vulnerability in DHCP Client Service

CVE-2026-44815 is a Critical RCE vulnerability affecting the Windows DHCP Client Service and has a CVSS score of 9.8. A stack-based buffer overflow flaw (CWE-121) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could exploit this by operating a rogue DHCP server on the network and responding to DHCP requests from vulnerable clients with specially crafted data. Exploitation is contingent on the target calling the DhcpGetOriginalSubnetMask API; as a pre-patch mitigation, administrators should audit and, where possible, restrict applications that call this API.

Critical Vulnerability in Windows Active Directory Domain Services

CVE-2026-45648 is a Critical RCE vulnerability affecting Windows Active Directory Domain Services and has a CVSS score of 8.8. A stack-based buffer overflow flaw (CWE-121) allows any domain-authenticated attacker to execute code over a network with no user interaction and low attack complexity. An attacker with access to the NSPI RPC interface could provide crafted inputs that trigger an out-of-bounds write in the directory service process, leading to memory corruption and RCE. Standard domain credentials are sufficient to trigger this vulnerability.

Critical Vulnerability in Azure Kubernetes Service

CVE-2026-32193 is a Critical RCE vulnerability affecting Azure Kubernetes Service (AKS) and has a CVSS score of 8.8. A path traversal flaw (CWE-22) allows a low-privileged local attacker to execute code with no user interaction and low attack complexity. An attacker that can run an untrusted container configured with hostNetwork could send specially crafted requests to a host-level service not intended for unauthenticated access, potentially break out of the container, and gain control of the AKS worker node. Successful exploitation has a changed scope, meaning impact could extend beyond the container to resources managed by a different security authority.

Critical Remote Code Execution Vulnerabilities in Remote Desktop Client

Seven Critical RCE vulnerabilities affecting the Remote Desktop Client were patched this month, with CVSS scores ranging from 7.5 to 8.8. All seven share a common exploitation theme: An attacker with control of a malicious Remote Desktop server could execute code on a victim's machine when the victim connects using a vulnerable Remote Desktop Client.

CVE-2026-47289, CVE-2026-42992, and CVE-2026-44799 stem from heap-based buffer overflow flaws (CWE-122). CVE-2026-47289 has low attack complexity and exploits the connection process by presenting a specially crafted RDP certificate; when the client processes the malformed certificate, the attacker could execute code on the user's device with the same privileges as the connecting user. CVE-2026-42992 and CVE-2026-44799 have high attack complexity, requiring an attacker to take additional preparatory actions before exploitation.

CVE-2026-42985, CVE-2026-44801, CVE-2026-47654, and CVE-2026-48563 stem from use-after-free flaws (CWE-416). In all four cases, an attacker with control of a Remote Desktop server could trigger RCE on a victim's machine upon connection. CVE-2026-47654 and CVE-2026-48563 additionally require an attacker to win a race condition, while CVE-2026-44801 requires additional preparatory actions prior to exploitation.

Critical Vulnerability in Microsoft Cryptographic Services

CVE-2026-44810 is a Critical elevation of privilege vulnerability affecting Microsoft Cryptographic Services and has a CVSS score of 8.4. This improper authentication flaw (CWE-287) allows an unauthenticated local attacker to elevate privileges with no user interaction and low attack complexity. An attacker could exploit this either by logging on to the system and running a specially crafted application, or by convincing a local user to open a malicious file. Successful exploitation could grant an attacker SYSTEM privileges.

Critical Vulnerabilities in Microsoft Office 

CVE-2026-45461, CVE-2026-45463, CVE-2026-45472, and CVE-2026-45474 are Critical RCE vulnerabilities in Microsoft Office, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through use-after-free flaws (CVE-2026-45461, CVE-2026-45472, CVE-2026-45474) and an integer underflow flaw (CVE-2026-45463). 

CVE-2026-45460 is a Critical information disclosure vulnerability affecting Microsoft Office and has a CVSS score of 4.7. A buffer over-read flaw (CWE-126) could allow an unauthorized attacker to disclose information locally. An attacker that successfully exploited this vulnerability could potentially read small portions of heap memory.

The Preview Pane is an attack vector for all five vulnerabilities.

Critical Vulnerabilities in Windows Hyper-V

CVE-2026-45607 and CVE-2026-45641 are Critical RCE vulnerabilities affecting Windows Hyper-V, both with a CVSS score of 8.4. Both share a common exploitation path: An authenticated attacker on a guest VM could send specially crafted file operation requests to hardware resources on the VM, resulting in RCE on the host server. CVE-2026-45607 stems from an out-of-bounds read flaw (CWE-125), while CVE-2026-45641 stems from a type confusion flaw (CWE-843). Both require no user interaction and have low attack complexity.

CVE-2026-47652 is a Critical RCE vulnerability affecting Windows Hyper-V and has a CVSS score of 8.2, stemming from a heap-based buffer overflow flaw (CWE-122). An attacker could issue a specially crafted hypercall with a maliciously large or malformed payload size from within a virtualized environment, triggering a buffer overflow in the hypervisor during memory operations. Unlike the other two, this vulnerability requires high privileges to exploit.

Critical Vulnerabilities in Microsoft Outlook and Word

CVE-2026-45456, CVE-2026-45458, and CVE-2026-47635 are Critical RCE vulnerabilities affecting Microsoft Outlook and Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through a type confusion flaw (CVE-2026-45456), a use-after-free flaw (CVE-2026-45458), and a heap-based buffer overflow flaw (CVE-2026-47635). The Preview Pane is an attack vector for all three vulnerabilities.

Critical Vulnerability in Windows Deployment Services

CVE-2026-42987 is a Critical RCE vulnerability affecting Windows Deployment Services (WDS) and has a CVSS score of 8.1. This use-after-free flaw (CWE-416) could allow an unauthorized remote attacker to execute arbitrary code over a network. Successful exploitation requires an attacker to win a race condition.

An attacker could exploit this vulnerability by sending specially crafted network requests to a Windows Server system with the WDS role enabled that is listening for TFTP traffic. By triggering an error in how the server handles simultaneous requests, an unauthenticated remote attacker could cause the service to use invalid memory, potentially allowing code execution on the affected server.

Critical Vulnerability in Windows Device Health Attestation

CVE-2026-33828 is a Critical elevation of privilege vulnerability affecting Windows Device Health Attestation (DHA) and has a CVSS score of 7.8. DHA is a Windows security feature that verifies the integrity of a device's boot process and security configuration. This trust boundary violation flaw (CWE-501) allows a low-privileged local attacker to undermine the trustworthiness of attestation reports and elevate privileges to gain SYSTEM-level control with no user interaction and low attack complexity.

Critical Vulnerability in Windows Media

CVE-2026-48574 is a Critical RCE vulnerability affecting Windows Media and has a CVSS score of 7.8. This heap-based buffer overflow flaw (CWE-122) allows an attacker to execute arbitrary code on a target system by convincing a user to interact with a specially crafted file. Despite the RCE classification, the attack vector is local, meaning the attacker must rely on user interaction to trigger the vulnerability rather than reaching the target directly over a network.

Critical Vulnerabilities in Windows Graphics Component

CVE-2026-44803 and CVE-2026-44812 are Critical RCE vulnerabilities affecting the Windows Graphics Component, both with a CVSS score of 7.8. Both stem from integer overflow flaws (CWE-190) in Windows Win32K - GRFX and require user interaction to exploit. An attacker could trigger code execution by convincing a user to view a specially crafted file in the Windows File Explorer Preview Pane or by opening the file directly. Despite the RCE classification, the attack vector is local, meaning the attacker must rely on user interaction rather than reaching the target directly over a network.

Critical Vulnerability in Windows Kerberos Key Distribution Center

CVE-2026-47288 is a Critical RCE vulnerability affecting the Windows Kerberos Key Distribution Center (KDC) and has a CVSS score of 7.1. The KDC is the authentication service that runs on every Active Directory domain controller; it’s responsible for issuing Kerberos tickets across the domain. A vulnerability here could allow attackers to target the most sensitive servers in an enterprise environment. This integer overflow or wraparound flaw (CWE-190) in Windows Kerberos could allow an authorized attacker to execute code over an adjacent network. Successful exploitation requires an attacker to prepare the target environment to improve exploit reliability.

An attacker already authenticated to the domain could send specially crafted authentication-related data to a domain controller, causing the affected Windows component to incorrectly handle memory. This could allow the attacker to disrupt the service or gain higher privileges on the domain controller without any user interaction.

Critical Vulnerability in Azure HorizonDB

CVE-2026-48567 is a Critical elevation of privilege vulnerability affecting Azure HorizonDB and has a CVSS score of 10.0. Azure HorizonDB is a cloud-native distributed database service; an authentication bypass here could allow attackers to gain unauthorized control over database resources and potentially the data they host. 

Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Microsoft Exchange Online

CVE-2026-48579 is a Critical information disclosure vulnerability affecting Microsoft Exchange Online and has a CVSS score of 9.1. An improper authorization flaw (CWE-285) allows unauthenticated remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity, with high confidentiality and integrity impact.

Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerabilities in Microsoft M365 Copilot

CVE-2026-45497 and CVE-2026-42824 are Critical vulnerabilities affecting Microsoft M365 Copilot, with CVSS scores of 7.7 and 6.5, respectively. Both stem from command injection flaws (CWE-77).

CVE-2026-45497 is an RCE vulnerability that allows low-privileged remote attackers to execute code over a network with high attack complexity and a changed scope. CVE-2026-42824 is an information disclosure vulnerability that allows unauthenticated remote attackers to disclose sensitive information over a network, requiring user interaction to exploit.

Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Copilot Chat (Microsoft Edge)

CVE-2026-47644 is a Critical information disclosure vulnerability affecting Copilot Chat in Microsoft Edge and has a CVSS score of 6.5. An injection flaw (CWE-74) allows unauthenticated remote attackers to disclose sensitive information over a network. User interaction is required for exploitation.

Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Microsoft Graph

CVE-2026-47655 is a Critical information disclosure vulnerability affecting Microsoft Graph and has a CVSS score of 6.5. Microsoft Graph is the API platform that connects Microsoft 365 services and data; an information disclosure vulnerability here could expose sensitive organizational data across connected Microsoft cloud services. This exposure of sensitive information flaw (CWE-200) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction required.

Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

New AI-Powered Capabilities in Falcon Exposure Management 

With CrowdStrike Falcon® Exposure Management, you can automatically classify and prioritize assets, show attack paths targeting client-side exploitation of devices, and integrate with CrowdStrike Falcon® Next-Gen SIEM. Learn more in this blog post:

Falcon Exposure Management’s AI-Powered Risk Prioritization Shows Organizations What to Fix First

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

Learn More

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.

Additional Resources

• For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
• Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
• Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
• Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster.
• Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.
• Be part of Fal.Con 2026 and connect with 10,000+ cybersecurity professionals shaping the future of the industry.